IT Risk Management: developed for a tier 1 German bank

Challenge and Regulatory Context

Establish specific processes for the management and control of IT risks against a background of rising global concern about the threats they pose

Meet the most current IT risk requirements arising from the European Central Bank’s SREP guidelines and the German regulator’s MaRisk, including the integration of IT risk management (ITRM) into the existing OpRisk control

Success

Design and implementation of a scenario-based ITRM approach, taking into account the requirements of the COBIT5 industry standard

Methodological consistency ensured between ITRM and OpRisk control

Design and implementation of an IT risk inventory adhering to regulatory reporting requirements

Approach

A basic condition for the design of the ITRM was consistency with the methodological requirements of OpRisk control

Based on the COBIT5 industry standard, we derived sample scenarios for ITRM, which the client’s individual IT units evaluated in a structured series of workshops with departmental participation

Scenarios were recorded in the IT risk inventory and used to derive OpRisk scenario analyses for the IT domain

Based on the information in the IT risk inventory, a quarterly management reporting process was designed and implemented